| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
| |
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
|
|
|
|
|
|
|
|
|
|
| |
fix heap array overflow
Found-by: Piotr Bandurski <ami_stuff@o2.pl>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 44c10168cff41c200825448b77cb8feff0d316c9)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
|
|
|
|
|
|
|
|
|
|
| |
Fixes ticket1212
Found-by: Piotr Bandurski <ami_stuff@o2.pl>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit cc229d4e83889d1298f1a0863b55feec6c5c339a)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
|
|
|
|
|
|
|
|
|
|
| |
Fixes null ptr deref
Fixes Ticket1367
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit f23a2418fb0ccc56fdae4dbf83a5994cc917c475)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
|
|
|
|
|
|
|
|
|
| |
Fixes Ticket1365
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit febc013dc5d6db1535a4f91cf02fa8089038937c)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
|
|
|
|
|
|
|
| |
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit b6fdf8dea7aaf3cb9a979dce91f752c2ce3086a3)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
|
|
|
|
|
|
|
|
|
|
| |
Fixes Ticket1377
Found-by: Piotr Bandurski <ami_stuff@o2.pl>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 03ce421c1361e4ce79468de8269ad51ba2ae4c16)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
|
|
|
|
|
|
|
|
|
| |
Fixes #1380.
Signed-off-by: Paul B Mahol <onemda@gmail.com>
(cherry picked from commit 824a6975ee066e944b7a20d1e220fd8974fb6174)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
|
|
|
|
|
|
|
|
|
|
| |
prevents out of array read
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 8aaa00c3012d425ce50efffadb813ad62d1ff3d5)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
|
|
|
|
|
|
|
|
| |
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit fd4c1c0b70b5a06dd572d7e27799a2f4c3d9b984)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
|
|
|
|
|
|
|
|
|
| |
Fixes #1368.
Signed-off-by: Paul B Mahol <onemda@gmail.com>
(cherry picked from commit 8f61526978697e51d3b9e61ea84daf13c42717af)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
|
|
|
|
|
|
|
|
|
|
| |
Such files are currently not supported as the table is used at several points
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit e7cb161515fc9fb6d30d1681d64d9ba7ad737a4e)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
|
|
|
|
|
|
|
|
| |
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 1b8741a6843f3f4667c81c2d63d3182858aa534f)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
|
|
|
|
|
|
|
|
|
|
| |
Fixes null ptr dereference
fixes Ticket1364
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit b4904e804d3b1c56ac4f5d3386b15daae98fca2d)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
|
|
|
|
|
|
|
|
|
|
| |
Fixes null ptr derefernce
Fixes Ticket1363
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 50122084a6b3be06781a2b3d8ec036f2d67c32e3)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
|
|
|
|
|
|
|
|
|
| |
Fixes Ticket1362
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 849d4b041351ef8d77c4231cf417f997e79f9ab7)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
|
|
|
|
|
|
|
|
|
|
| |
Fixes null ptr deref
Fixes Ticket1361
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 77a4c8b959fa9bc6bcaa42b40a0b046cdf3fec38)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
|
|
|
|
|
|
|
|
|
| |
Fixes ticket1360
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 01900fcc45e99ee4556e0a5d87ff57b2f150dad4)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
|
|
|
|
|
|
|
|
|
|
| |
Fixes Ticket1359
Found-by: Piotr Bandurski <ami_stuff@o2.pl>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 1e5c7376c4ed733910845c9a09e272ac7696b1f4)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
|
|\
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* qatar/release/0.7:
Update RELEASE file for 0.7.6
Update changelog for 0.7.6 release
ea: check chunk_size for validity.
png: check bit depth for PAL8/Y400A pixel formats.
x86: fix build with gcc 4.7
qdm2: clip array indices returned by qdm2_get_vlc().
kmvc: Check palsize.
aacsbr: prevent out of bounds memcpy().
rtpdec_asf: Fix integer underflow that could allow remote code execution
dpcm: ignore extra unpaired bytes in stereo streams.
tqi: Pass errors from the MB decoder
h264: Add check for invalid chroma_format_idc
adpcm: ADPCM Electronic Arts has always two channels
h263dec: Disallow width/height changing with frame threads.
vqavideo: return error if image size is not a multiple of block size
celp filters: Do not read earlier than the start of the 'out' vector.
motionpixels: Clip YUV values after applying a gradient.
h263: more strictly forbid frame size changes with frame-mt.
h264: additional protection against unsupported size/bitdepth changes.
Conflicts:
Changelog
RELEASE
libavcodec/aacsbr.c
libavcodec/h264_ps.c
libavcodec/pngdec.c
libavformat/rtpdec_asf.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
|
| | |
|
| | |
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 273e6af47b38391f2bcc157cca0423fe7fcbf55c)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 6a86b705e1d4b72f0dddfbe23ad3eed9947001d5)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Wrong bit depth can lead to invalid rowsize values, which crashes the
decoder further down.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit d2205d6543881f2e6fa18c8a354bbcf91a1235f7)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit b8d6ba9d50e80fdce2ed74cdaffd4960df8a21c5)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
The upcoming gcc 4.7 has more advanced constant propagation
resulting some inline asm operands becoming constants and thus
emitted as literals, sometimes in contexts where this results
in invalid instructions.
This patch changes the constraints of the relevant operands
to "rm" thus forcing a valid type. While obviously suboptimal,
this is what older gcc versions already did, and there is no
change to the code generated with these.
Signed-off-by: Mans Rullgard <mans@mansr.com>
(cherry picked from commit da4c7cce2100a4e4f9276b4f17e260be47b53f41)
Signed-off-by: Derek Buitenhuis <derek.buitenhuis@gmail.com>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Prevents subsequent overreads when these numbers are used as indices
in arrays.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com>
(cherry picked from commit 64953f67f98da2e787aeb45cc7f504390fa32a69)
Signed-off-by: Derek Buitenhuis <derek.buitenhuis@gmail.com>
Conflicts:
libavcodec/qdm2.c
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Fixes: CVE-2011-3952
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Based on fix by Michael Niedermayer
(cherry picked from commit 386741f887714d3e46c9e8fe577e326a7964037b)
(cherry picked from commit 416849f2e06227b1b4a451c392f100db1d709a0c)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Fixes Libav Bug 195.
Fixes CVE-2012-0850
This doesn't make the code handle sample rate or upsample/downsample
change properly but this is still a good sanity check.
Based on change by Michael Niedermayer.
Signed-off-by: Alex Converse <alex.converse@gmail.com>
(cherry picked from commit 17ce52912f59a74ecc265e062578fb1181456e18)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Fixes MSVR-11-0088
Fixes CVE-2011-4031
Credit: Jeong Wook Oh of Microsoft and Microsoft Vulnerability Research (MSVR)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 5ea091fb5a12dc0210b8efdf30b573b87e21652b)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Fixes: CVE-2011-3951
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit ce7aee9b733134649a6ce2fa743e51733f33e67e)
(cherry picked from commit eaeaeb265fe46e1d81452960de918227541873b4)
Conflicts:
libavcodec/dpcm.c
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This silences some valgrind warnings.
CC: libav-stable@libav.org
Fixes second half of http://ffmpeg.org/trac/ffmpeg/ticket/794
Bug found by: Oana Stratulat
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit f85334f58e1286287d0547a49fa9c93b40cbf48f)
(cherry picked from commit 90290a5150e84fb138ccde57657dc03830f08c1c)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 5872580e65aab026b77754eb184f97ba7cc6ea35)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Fixes a crash when FF_DEBUG_PICT_INFO is used.
Signed-off-by: Ronald S. Bultje <rsbultje@gmail.com>
(cherry picked from commit 6ef4063957aa5025c8d2cd757b6a537e4b6874df)
Fixes: CVE-2012-0851
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 47132345184dc3d0ff962a57a1225564fe979548)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Fixes half of http://ffmpeg.org/trac/ffmpeg/ticket/794
Adresses CVE-2012-0852
(cherry picked from commit bb5b3940b08d8dad5b7e948e8f3b02cd2eb70716)
Conflicts:
libavcodec/adpcm.c
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Fixes CVE-2011-3937
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 71db86d53b5c6872cea31bf714a1a38ec78feaba)
Conflicts:
libavcodec/h263dec.c
Signed-off-by: Alex Converse <alex.converse@gmail.com>
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 4be63587e110c05cda3101abf2e3745d919f3fae)
Conflicts:
libavcodec/h263dec.c
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
The decoder assumes in various places that the image size
is a multiple of the block size, and there is no obvious
way to support odd sizes. Bailing out early if the header
specifies a bad size avoids various errors later on.
Fixes CVE-2012-0947.
Signed-off-by: Mans Rullgard <mans@mansr.com>
(cherry picked from commit 58b2e0f0f2fc96c1158e04f8aba95cbe6157a1a3)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit d5207e2af81580dd5e6277b354c8b459c3624f26)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
CC: libav-stable@libav.org
(cherry picked from commit 37ddd3833219fa7b913fff3f5cccc6878b047e6b)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 9ea94c44b1b414ab3bc6e9220ebb77621423ca38)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Prevents illegal reads on truncated and malformed input.
CC: libav-stable@libav.org
(cherry picked from commit b5da848facd41169283d7bfe568b83bdfa7fc42e)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit aaa6a666774eb02c351c84e80622a5c69e9b642e)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Prevents crashes because the old check was incomplete.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 2d22d4307dcc1461f39a2ffb9c8db6c6b23fd080)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 7fe4c8cb761b0fc8685dacf9f187311b9d124a52)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Fixes crashes in codepaths not covered by original checks.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit 732f9fcfe54fc9a0a7bbce53fe86b38744c2d301)
Conflicts:
libavcodec/h264.c
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 746f1594d71dece6fd6f786447e19be9c200a07d)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
|
| |
| |
| |
| | |
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
|
| |
| |
| |
| | |
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Fixes Ticket1109
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 15db6a959057b92245a384909ec7d413d5c16461)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Fixes Ticket1068
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 73089eccd3e48539555349b36d8aabbf1cea416e)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
|
|\ \
| |/
| |
| |
| |
| |
| | |
* qatar/release/0.7:
Update changelog for 0.7.5 release
Merged-by: Michael Niedermayer <michaelni@gmx.at>
|
| | |
|
| |
| |
| |
| |
| |
| |
| |
| | |
Fixes an AAC decoding issue with the sample from ticket #213 on machines
with SSE but without SSE2.
Based on 89411a by Reimar.
(cherry picked from commit f6b78638086beae9bcab672d4c9de1790be5a928)
|
|\ \
| |/
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* qatar/release/0.7: (84 commits)
id3v2: fix skipping extended header in id3v2.4
Update RELEASE file for 0.7.5
lcl: use AVERROR_INVALIDDATA instead of AVERROR_UNKNOWN
kgv1dec: Increase offsets array size so it is large enough.
kgv1: use avctx->get/release_buffer().
kvmc: fix invalid reads
nsvdec: Propagate error values instead of returning 0 in nsv_read_header().
mjpegbdec: Fix overflow in SOS.
shorten: Use separate pointers for the allocated memory for decoded samples.
shorten: check for realloc failure (cherry picked from commit 9e5e2c2d010c05c10337e9c1ec9d0d61495e0c9c)
atrac3: Fix crash in tonal component decoding.
ws_snd1: Fix wrong samples count and crash.
ws_snd: add some checks to prevent buffer overread or overwrite. (cherry picked from commit 417364ce1f979031ef6fee661fc15e1869bdb1b4)
ws_snd: decode to AV_SAMPLE_FMT_U8 instead of S16.
dca: include libavutil/mathematics.h for possibly missing M_SQRT1_2
h264: stricter reference limit enforcement.
jvdec: unbreak video decoding
xxan: don't read before start of buffer in av_memcpy_backptr().
dsicinvideo: validate buffer offset before copying pixels.
huffyuv: add padding to classic (v1) huffman tables.
...
Conflicts:
RELEASE
libavcodec/atrac3.c
libavcodec/h264.c
libavcodec/h264_parser.c
libavcodec/kgv1dec.c
libavcodec/shorten.c
libavcodec/svq3.c
libavcodec/ws-snd1.c
libavcodec/xxan.c
libswscale/utils.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
|
| |
| |
| |
| |
| |
| |
| | |
In v2.4, the length includes the length field itself.
(cherry picked from commit ddb4431208745ea270dce8fce4cba999f0ed4303)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
|
| | |
|
| |
| |
| |
| |
| |
| |
| | |
While bogus, this change avoids the necessity to backport
AVERROR_UNKNOWN, which is not entirely trivial.
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
|